[whatwg] Adding crossorigin="" to more elements

Boris Zbarsky bzbarsky at MIT.EDU
Mon Jun 17 04:50:38 PDT 2013


On 6/17/13 7:38 AM, Anne van Kesteren wrote:
> On Fri, Nov 30, 2012 at 11:47 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>> Right.  My point was that "cross-origin" for the case of stylesheet at least
>> in Gecko depends on the origin of the script that tries to modify them, not
>> on the origin of the document that linked to them...
>
> Is there a good reason for this? This seems fairly distinct from how
> <img>, <script>, and <video> work.

Just in terms of considering effective script origins instead of origins?

<img> and <video> compare the origin of the canvas to the origin of the 
image/video, if you mean the security check I think you mean.  It 
explicitly doesn't use effective script origin because you can't set 
that on <img>.

<script>, if you mean the onerror checks, in Gecko checks whether the 
effective script origin of the window whose onerror is about to fire 
matches the origin of the script.  And we make the origin of the script 
an alias of the effective script origin of the document it's loaded into 
in cases when the script was either loaded no-cors or passed cors 
security checks.  What do other UAs do?

Again, the default security check in Gecko is always against effective 
script origin, so any check that predates a recent spec is always that 
way.  Whether there's a good reason for it needs to be checked on a 
case-by-case basis.

-Boris



More information about the whatwg mailing list